CTF Creators Competition - Notes For Creators

creators{contents}

  • challenge_submission_guidelines

    • submission_details
    • submission_requirements
    • submission_testing
  • flag_format

  • available_tools

  • challenge_categories

  • difficulty_rating

  • judging

    • criteria
    • prizes
    • competition_timeline
  • Links

    • example_challenges
    • discords

creators{challenge_submission_guidelines}

creators{submission_details}

A single zip file containing the following:

  • Challenge name
  • Challenge description
  • Challenge files
  • Author name
  • Flag
  • Writeup (Important information about your challenge & the intended solution)
  • Source code (if it has any)

creators{submission_requirements}

Challenge Creators cannot be of eligible competitor age.

Challenges must be new and not have appeared anywhere publicly before Competition Day. It goes without saying: don't discuss or share information about your challenge builds and solutions in any forum that could reach competitors and give them an advantage.

Challenges should be suitable for an under-aged audience. Challenge submissions will be audited, and you may be contacted if any changes need to be made to ensure suitability of the challenge for purpose.

Attribution and use

  • Challenge authors will be credited alongside their challenge on the PECAN+ CTF competition website. You will be provided with a certificate of recognition after the event.

  • The submission of a challenge implies permission for its use for PECAN+ CTF and related activities at the discretion of the event organisers.

Use of creative commons and copyrighted materials

  • If using images, sound files, etc. in your build that have been sourced from creative commons, please check usage permissions and include appropriate attributions where required.

The challenge must use the pecan{} flag format

The challenge should be solvable with available tools

creators{submission_testing}

Attempt to solve with reading solution

Ensure that the challenge is straightforward

  • Hints provided
  • Direction given
  • Only includes minor red herrings

Age appropriate

Correct Creative Commons attributions

Check for unintended solutions (grep / strings)

Hunt bugs

Dockerfile configured correctly

  • If you don't know what a dockerfile is, then you don't need it. Don't worry, neither do I and I have created several challenges for PECAN+.

Judge the approximate challenge difficulty. (More information can be found in this document under difficulty_rating)

creators{flag_format}

The flag format is pecan{}, case insensitive, e.g. pecan{funny_1337-$peaK_pHras3}

Wherever possible, make the flag a simple ASCII string that players discover to solve the challenge, and not something complex like pecan{<md5(name of target)><date of event><function address>}. These formats are ambiguous. Does the date use dots, slashes, or dashes as separators? How should the name be capitalised? Is the function address in hex? etc.

There are times when you cannot follow the format, such as in OSINT challenges (e.g., "What building was the hacker hiding in?") or in forensics challenges where the flag could possibly be grepped out (for this, consider using a base64 encoded string instead if it works contextually). If you cannot follow the flag convention, provide an additional statement in your challenge description to avoid ambiguity - e.g., "the flag is the home address: pecan{<number><street><suburb>_<state>}".

Avoid brute-forcible flags - e.g., "What city was the attacker hiding in?".
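A pre-submission check covering the "grep / strings" item under submission_testing and the flag format described above, as an added example that is not part of the original notes. The directory layout, the sample flag and the reading of "simple ASCII" as printable characters without spaces or braces are assumptions.

```shell
#!/bin/sh
# Added example: pre-submission checks for a challenge build.
# The file names and the sample flag below are constructed for illustration.

# valid_flag FLAG: succeed if FLAG is pecan{...} (prefix case-insensitive) with a
# non-empty body of printable ASCII, no spaces or braces (assumed meaning of "simple").
valid_flag() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eiq '^pecan[{][!-z|~]+[}]$'
}

# leaked_files DIR: list files whose raw bytes contain the flag prefix in
# plaintext, i.e. what a player running strings/grep over the files would hit.
leaked_files() {
    LC_ALL=C grep -rail -F 'pecan{' "$1" | sort
}

# make_sample DIR: build three constructed challenge files to scan.
make_sample() {
    mkdir -p "$1"
    # Binary blob with the flag embedded in plaintext (mixed case).
    printf 'ELF\001\002PeCaN{constructed_flag}\000\377' > "$1/chall.bin"
    # Same flag stored base64 encoded, as suggested for forensics challenges.
    printf 'pecan{constructed_flag}' | base64 > "$1/note.txt"
    # File with no flag material at all.
    printf 'nothing to see here\n' > "$1/readme.txt"
}

# Demo run over the constructed files.
tmp=$(mktemp -d)
make_sample "$tmp/files"
echo "Files leaking the flag to grep/strings:"
leaked_files "$tmp/files"
for f in 'pecan{funny_1337-$peaK_pHras3}' 'PECAN{ok}' 'flag{nope}' 'pecan{}'; do
    if valid_flag "$f"; then echo "valid:   $f"; else echo "invalid: $f"; fi
done
rm -rf "$tmp"
```

Only chall.bin is reported: the base64 copy in note.txt no longer matches the plaintext prefix, which is why the encoding helps in forensics builds.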

creators{available_tools}

Web-based Kali containers will be provided to competitors.

  • Uses KASM Workspaces + Kali Linux toolkit

Online tools:

  • CyberChef
  • Crackstation
  • dCode
  • Google Earth
  • Flightradar24

Discord (This is not for sharing answers/walkthroughs or writeups during competition)

creators{challenge_categories}

Binary exploitation

Reverse engineering

Cryptography

Web exploitation

Digital Forensics

Open-source Intelligence (OSINT)

Miscellaneous

creators{difficulty_rating}

The submission form will prompt you for a difficulty rating.

There is no perfect rating for challenges, so just make a guess. After all, the people testing these challenges will know its difficulty better than the creator. Time used to solve is typically a good indicator.

The challenges will be dynamically scored based on number of solves for fairness. If a challenge is rated Expert and scored 500 points, but almost everyone manages to solve it, the score will scale back to a fair value.

The minimum points given will be 50 (Super Easy) and the maximum 500 (Expert).

Tier Expected Difficulty

  • Super Easy (100 points)
    • Should be trivial; for absolute beginners & introducing simple concepts
  • Easy (200 points)
    • Solvable by anyone with a decent level of problem solving and Googling skills
  • Medium (300 points)
    • Expands on fundamental concepts and requires deeper thinking, but all should fare well
  • Hard (400 points)
    • Requires more time, critical thinking, and research, but still solvable by the majority
  • Expert (500 points)
    • Requires great effort to solve. Background knowledge is preferred but not essential

creators{judging}

creators{criteria}

  • Fun to solve

    • A challenge can be a boring slog, a confusing maze, or a frustrating exercise in futility. However, they can also be a fun adventure that leaves you with a sense of accomplishment when you cross that final obstacle.
  • Theming

    • Even in a challenge of technical skill and knowledge, creativity is key. However, don't forget to make sure that the pieces of your challenge fit into a cohesive whole and make sense when put together.
  • Educational value

    • A good challenge should guide a competitor to engage with the challenge's underlying concepts and principles.
  • Real world value

    • Technical knowledge is all well and good, but how does the challenge reflect the reality of working a job in the domain of computer science?
  • Depth of challenge

    • Depth of challenge is how much the challenge draws in the participant and engages them. Challenges shouldn't be solvable in less than a minute; they should take some time and thought.
    • Not to be confused with complexity for the sake of complexity.

creators{prizes}

🏆 First Prize: ACS Compendium, ACSC Water Bottle, $50 Steam Gift Card

🥈 Second Prize: Microsoft Backpack, ECU Cooler Bag, $35 Steam Gift Card

🥉 Third Prize: ASD Flashlight, ECU Puzzle, Sapien Camera Cover, $20 Steam Gift Card

🎖️ Most Effort Prize: Sapien Shirt, Sapien Mug, Sapien Camera Cover

creators{competition_timeline}

  • Competition 7th of April - 16th of May

  • Results will be announced after the judging is finalized at the beginning of June.

creators{example_challenges}

Gain experience with CTFs through the example challenges

creators{discords}

Find helpful resources (People and Documents) in both the CASSA and RedRoom Discords